b8ab79a550cb9dd8d45783c0f55e49cf683d1c2b32e785a08128712295008154 | Triage

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:05

Sharing

Report Analysis Logs

General

Target

Documento.dll
Size

642KB
MD5

66277003da051e53efed47c8954ac015
SHA1

d94807fb05e8604d8d7c6a0eeac8ecf23dcd8cbf
SHA256

a83f593a5204dad08856c89cd941a3b5ece1e7f13d2433c6343b9cd9ed7a73cb
SHA512

23c47b50ab2207524b9941f3ff1bf2cf4d08db3985eef4c83d4a2d8b8cdfa8c060b71717e5deeb715b29093832ba02128dbf8b6ba52c8262e53e19357971702c
SSDEEP

12288:xKxfRvv3Mt6Vtg6a2hPRmwB1iCgJg0GF2btvYm3+Aa:xKxpvv3Mt6Vu72h5mQgd40YW9

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral1/memory/872-56-0x0000000001FC0000-0x0000000002121000-memory.dmp	vmprotect
behavioral1/memory/872-57-0x0000000001FC0000-0x0000000002121000-memory.dmp	vmprotect

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1440 wrote to memory of 872	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 872	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 872	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 872	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 872	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 872	1440	rundll32.exe	rundll32.exe
PID 1440 wrote to memory of 872	1440	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Documento.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Documento.dll,#1
2⤵
PID:872

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-54-0x0000000000000000-mapping.dmp

Download
memory/872-55-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/872-56-0x0000000001FC0000-0x0000000002121000-memory.dmp

Filesize
1.4MB

Download
memory/872-57-0x0000000001FC0000-0x0000000002121000-memory.dmp

Filesize
1.4MB

Download